2016's Worst Passwords Are Just As Bad As 2015's (So Please Tell Me Yours Is Not On The List)

For the sixth year in a row, password management security company SplashData has scraped password dumps and scoured through the data to find the world’s most common passwords. This year’s compilation was drawn from over 5 million leaked emails. The passwords were mostly held by users in North America and Western Europe.

SplashData estimates that just over 10 percent of people use at least one of the 25 passwords from this year’s list, up from three percent in 2014. A whopping 4 percent use the worst password, 123456, and the list also includes multiple variations of ‘password,’ meaning that John Podesta wasn’t alone.

‘123456’ and ‘password’ top the list, just as they did in 2014 and 2015.

All but one of the numeric patterns were in last year’s top 25 oft-repeated passwords, including ‘12345,’ ‘12345678,’ ‘1234567890,’ ‘1234567,’ and ‘1234.’ New this year was ‘121212.’

This year’s list included ‘Password’ and variations ‘passw0rd’ and the new but predictable ‘password1.’ It also had some pretty obvious words: ‘qwerty,’ ‘login,’ ‘welcome,’ and ‘admin,’ another new one this year. Old favorites include ‘football,’ ‘princess,’ ‘solo,’ ‘abc123,’ ‘dragon,’ and ‘master.’

Other new words this year: ‘hottie,’ ‘loveme,’ ‘sunshine,’ and ‘flower.’ Oh, and ‘zaq1zaq1,’ which is what you get when you type up on the left column on a standard keyboard. (Yes, other people can figure that out.)

Many people wrongly assume that substituting a ‘0’ for an ‘O’ will make their password more secure, but SplashData CEO Morgan Slain says that’s not the case. “Making minor modifications to an easily guessable password does not make it secure, and hackers will take advantage of these tendencies,” he wrote in a press release. “Our hope is that by researching and putting out this list each year, people will realize how risky it is to use these common logins, and they will take steps to strengthen their passwords and use different passwords for different websites.”
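As an added example (not from the article or from SplashData), here is the kind of server-side check a site could run when a user picks a password: it rejects the entries the article names, the “minor modifications” Slain describes (leet substitutions and a trailing year or ‘!’), and repeated keyboard walks like ‘zaq1zaq1.’ The denylist, substitution table and keyboard layout are constructed here; a real deployment would check against a full breached-password list.

```python
import re

# Constructed denylist: the 25 entries the article names from SplashData's 2016 list.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "football", "qwerty",
    "1234567890", "1234567", "princess", "1234", "login", "welcome",
    "solo", "abc123", "admin", "121212", "flower", "passw0rd", "dragon",
    "sunshine", "master", "hottie", "loveme", "zaq1zaq1", "password1",
}

# Substitutions people believe add strength (the "0 for O" habit), undone here.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# US QWERTY rows; each column is read top-down ("1qaz") and bottom-up ("zaq1").
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_WALKS = set()
for i in range(7):  # only the first 7 columns have a key in all four rows
    col = "".join(row[i] for row in KEY_ROWS)
    KEY_WALKS.update({col, col[::-1]})
for row in KEY_ROWS:
    KEY_WALKS.update({row, row[::-1]})


def normalize(pw):
    """Lower-case, drop a trailing digit/punctuation suffix, then undo leet substitutions."""
    low = pw.lower()
    stripped = re.sub(r"[\d!@#$%^&*.]+$", "", low) or low
    return stripped.translate(LEET)


def shortest_repeating_unit(s):
    """Smallest u such that s == u * k; s itself when it does not repeat."""
    for n in range(1, len(s) // 2 + 1):
        if len(s) % n == 0 and s[:n] * (len(s) // n) == s:
            return s[:n]
    return s


def is_keyboard_walk(pw):
    """True for a (possibly repeated) single row or column run, e.g. zaq1zaq1 or qwerty.
    Runs that jump columns (1qaz2wsx) are deliberately out of scope of this example."""
    unit = shortest_repeating_unit(pw.lower())
    return len(unit) >= 4 and any(unit in walk for walk in KEY_WALKS)


def check_password(pw):
    """Return None when the password passes, otherwise the reason it is rejected."""
    if pw.lower() in COMMON_PASSWORDS:
        return "on the common-password list"
    if normalize(pw) in COMMON_PASSWORDS:
        return "a minor variation of a common password"
    if is_keyboard_walk(pw):
        return "a keyboard pattern"
    return None
```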

“In our large-scale empirical analysis, it is evident that the commonly-used meters are highly inconsistent, fail to provide coherent feedback, and sometimes provide strength measurements that are blatantly misleading,” the study read.

Your best bet is the same as ever: create complex password phrases, and use a unique password for every account. That’s because reusing passwords on multiple accounts leaves all of your accounts vulnerable if just one gets hacked and the passwords get dumped. To make things easier, store your passwords in a password manager.

If you’re going to ignore password best practices, one way to be a little more secure is to set up two-factor authentication, at least on your email account. Two-factor authentication is a way to keep you safe from someone nefariously trying to reset your password. It adds an extra layer of security by asking for a second factor, in addition to your username and password, to prove your identity. This might be a numeric code sent to you via text message, a code generated on a phone app like Google Authenticator, or a YubiKey, a small hardware device that can be used to secure passwords on some sites or accounts. (Gmail allows users to print out one-time codes, in case you lose your phone or have it turned off because you’re on an airplane.)

If someone tries to reset your password and you have 2FA enabled, it’ll be much harder for them to gain access to your account. And if you have 2FA on your email account, this would at least stop a malicious actor from being able to reset all of your other passwords—unless they can crack them, that is.